Control activities under sas 109 coso include

Research Paper 1

1. A title page (replace this page with your title page), proper grammar and a reference list.

2. A 2-3 page summary of the article – here’s a suggested method for writing the summary:

a. Read the article and make sure you understand it.

b. Outline the article. Note the major points.

c. Write a first draft of the summary without looking at the article.

d. Always paraphrase when writing a summary (don’t copy a phrase from the original unless you absolutely have to – it’s an important phrase and you do not want it to be misinterpreted). If this happens make sure you first put "quotation marks" around the phrase.

e. Start your summary with a clear identification of the, title, author, and main point in the present tense.

f. Check with your outline (see above) and the original to make sure you have covered the important points.

g. Never put any of your own ideas, opinions, or interpretations into the summary. This means you have to be very careful of your word choice.

h. Write using "summarizing language." Occasionally note that this is a summary by using phrases such as the author(s) argues, implies, etc.

JOURNAL OF INFORMAITON SYSTEMS Vol. 20, No. 1 Spring 2006 pp. 205–219

Research Opportunities in Information Technology and Internal Auditing

Marcia L. Weidenmier Mississippi State University

Sridhar Ramamoorti Grant Thornton LLP

ABSTRACT: This paper presents research opportunities in the area of information tech- nology (IT) within the context of the internal audit function. Given the pervasive use of IT in organizations and the new requirements of the Sarbanes-Oxley Act of 2002, in- ternal audit functions must use appropriate technology to increase their efficiency and effectiveness. We develop IT and internal audit research questions for three governance-related activities performed by the internal audit function-risk assessment, control assurance, and compliance assessment of security and privacy.

Keywords: IT / IS auditing; internal auditing; information technology; research oppor- tunities; Sarbanes-Oxley; corporate governance; risk management; secu- rity; privacy.

Data Availability: Please direct all comments and suggestions to Dr. Marcia Weidenmier.

I. INTRODUCTION

T his paper develops information technology-related research questions within the con- text of the internal audit function. The internal audit function (IAF) is one of the cornerstones of corporate governance along with the external auditor, executive man-

agement, and the audit committee of the Board of Directors (Gramling et al. 2004). The Board of Directors determines the overall governance process, which senior management implements and internal and external auditors evaluate, under the watchful eye of the audit committee (Blue Ribbon Committee 1999; Treadway Commission 1987).

The IAF occupies a unique and pivotal role in corporate governance. First, the IAF is an information gathering and reporting resource for the three other governance parties (Gramling et al. 2004). Second, the IAF is an integral part of the organization’s internal control structure. In fact, Rule 303A of the New York Stock Exchange requires listed companies to have an IAF. Third, the IAF executes important governance-related activities including risk assessment, control assurance, and compliance assessment, which are critical

We thank JIS editor Dan Stone for suggesting and encouraging us to write the supplemental technology chapter to the Research Opportunities in Internal Auditing (2003) monograph. We remain grateful to the IIA Research Foundation for granting us permission to reproduce, paraphrase, and / or use copyrighted materials in preparing this paper for the Journal of Information Systems. (Copyright 2004, The Pervasive Impact of Information Technology on Internal Auditing, by the Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.) The views expressed in this paper are the personal views of Dr. Sridhar Ramamoorti and do not reflect the views of, nor endorsement by, Grant Thornton LLP.

206 Weidenmier and Ramamoorti

Journal of Information Systems, Spring 2006

in complying with the new requirements of the Sarbanes-Oxley Act of 2002 (SOX). Internal auditors are central figures and function as a key support in providing assurance for meeting the requirements of SOX Section 302 (annual certifications of the completeness and ac- curacy of the financials by the CEO and the CFO) and Section 404 (external auditor attes- tation of the effectiveness of internal controls over financial reporting). As an integral part of corporate governance, internal auditors must now consider the ‘‘probability of significant errors, irregularities, or noncompliance’’ (Implementation Standard 1220.A1 [IIA 2004]) as they execute their governance-related activities.

As IT and business models become virtually inseparable and inextricably intertwined, IT is playing a pivotal role in corporate governance and SOX compliance. IT both enables and drives effective governance structures, risk management, and control processes because it (1) shapes an organization by influencing the governance structure selection and the organization’s level of risk (Boritz 2002; Parker 2001), (2) helps establish, maintain, and enforce new governance processes throughout the organization (Hamaker 2004; Fox and Zonneveld 2004), and (3) helps integrate the risk management and compliance proc- esses—improving reputation, employee retention, and revenue (by as much as 8 percent), and lowering costs of capital and insurance premiums (PricewaterhouseCoopers 2004).

IT’s rapid change is dramatically altering the IAF (Gorman and Hargadon 2005). Ac- cordingly, the Institute of Internal Auditors (IIA) requires internal auditors to understand how IT is used and should be used in an organization, as well as key IT risks, controls, and IT-based audit techniques (Implementation Standard 1210.A3 [IIA 2004]). Thus, given the new requirements of SOX and the IIA, both the IAF and IT have risen in prominence and impact within organizations.

In this new era of governance reform, ‘‘IT-internal auditing research’’ has become a critical imperative. Surprisingly, however, ‘‘while the role of assurance practitioners, from an external perspective, has often been publicly discussed and debated, the role of the internal auditor and the resulting changes have not been quite so publicized’’ (Boritz 2002, 232). Significant prospects exist for academic research in the areas of internal auditing and technology from theoretical and practical perspectives. To help encourage research on IT and the IAF, we develop research questions for three governance-related activities per- formed by the IAF: risk assessment, control assurance, and compliance work (Hermanson and Rittenberg 2003).

Our research builds on the following studies, which provide comprehensive syntheses of extant literature. Almost 30 years ago, Cash et al. (1977) reviewed existing studies and techniques on auditing and electronic data processing (EDP) (primarily from an external audit perspective) to encourage future EDP research. More recently, O’Leary (2000) dis- cusses the enterprise resource planning systems (ERPs) literature. The Information Systems Section of the American Accounting Association published Researching Accounting as an Information Systems Discipline (Arnold and Sutton 2002), which presents research oppor- tunities in a variety of areas including expert and group support systems, decision aids, electronic commerce, continuous and information systems assurance, and knowledge man- agement. Finally, Ramamoorti and Weidenmier (2004) develop IT-related research oppor- tunities in internal auditing for eight different areas, as part of the Research Opportunities in Internal Auditing (Bailey et al. 2003) monograph published by the IIA Research Foun- dation. We use the chapter by Ramamoorti and Weidenmier (2004) as our starting point.

The remainder of the paper develops IT-related research questions for each governance activity performed by the IAF. Section II focuses on risk assessment. Section III explores control assurance, while Section IV discusses two primary areas of compliance assess- ment—security and privacy. Section V concludes.

Research Opportunities in Information Technology and Internal Auditing 207

Journal of Information Systems, Spring 2006

II. RISK ASSESSMENT Traditionally, internal auditing used a control-based approach for planning its activities.

More recently, corporate governance focuses on risk management, providing the impetus for the IAF to move to a risk-based approach (McNamee and Selim 1998). In fact, the IAF, in the context of organizational risk assessment (Ramamoorti and Traver 1998), must iden- tify and assess risks to define the audit universe and to plan its engagements (IIA Perform- ance Standard 2010.A1). Unfortunately, organizations struggle with enterprise-wide risk management and ‘‘conflicting evidence exists regarding what [enterprise risk management] means and how common[ly] it actually is’’ implemented (Kleffner 2003, 66). Moreover, a lack of risk management frameworks, qualitative and quantitative risk metrics, and acces- sible central repository of actuarial data has hampered risk management efforts (Ozier 2003). To help overcome some of these obstacles, the Committee of Sponsoring Organi- zations of the Treadway Commission (COSO) released the 2004 Enterprise Risk Manage- ment (ERM) Framework that encompasses and expands its 1992 Internal Control-Integrated Framework. The ERM Framework presents an integrated framework with practical imple- mentation guidelines to ensure achievement of organizational objectives, reliable reporting, and regulatory compliance.

IT and the IAF are both integral components of ERM. The Board’s corporate gover- nance process directs senior management’s development and implementation of the risk management process, which the IAF must evaluate for ‘‘adequacy and effectiveness’’ as well as for ‘‘significant risks that might affect objectives, operations, or resources’’ (Sobel and Reding 2004; Implementation Standards 1220.A1 and 1220.A3 [IIA 2004]). IT also permeates the risk management process as a source of risk and as a tool to implement the following eight components of the ERM Framework: internal environment, objective setting, identification of events, risk assessment, risk response, control activities, information and communication, and monitoring (Ramamoorti and Weidenmier 2004). While research op- portunities exist for each Framework component, we focus only on the third and fourth components, identification of events and risk assessment, which we consider to be the pinnacle of the ERM Framework. To help the reader understand the context of our research questions, Figure 1 presents an overview of the Framework and its relationship to this paper. In addition, we now briefly describe how the other ERM Framework components relate to risk assessment and IT.

The first two ERM Framework components, the internal environment and objective setting, shape the organization’s risk assessment process. The internal environment reflects the organization’s risk appetite, or how much risk that management and the Board are willing to accept when conducting business, and is the basis for all other Framework com- ponents. Objective setting ensures that the organization has a process to define high-level strategic objectives as well as detailed operational, reporting, and compliance objectives that are consistent with its mission and risk appetite. Based on their strategic objec- tives, organizations must identify and assess the risk of events, which are internal or external incidents that may negatively affect strategy and the achievement of objectives.

The last four ERM Framework components—risk response, control activities, infor- mation and communication, and monitoring—delineate the organization’s response to the assessed risk. Organizations can avoid, minimize, share, reduce, or accept the assessed risk via their response to identified risks. Control activities ensure that risk responses are im- plemented via controls that support strategic, operational, reporting, and compliance objec- tives. An information and communication system must identify, analyze, and respond to new and existing risks as well as communicate needed information across the organization.

208 Weidenmier and Ramamoorti

Journal of Information Systems, Spring 2006

FIGURE 1 The Enterprise Risk Management Framework and its Relationship to this Paper

Internal Environment

Risk Response

Risk Assessment

Identification of Events

Objective Setting

Negative events

Positive events

Control Activities

Monitoring

Info & Communication

SECTION II: Risk assessment

SECTION III: Control assurance

SECTION IV: Compliance assessment

The Enterprise Risk Management Components are from COSO (2004a).

Moreover, in today’s rapidly changing business environment, the ERM plan requires con- tinuous monitoring that is real-time, dynamic, and embedded in the organization (COSO 2004a, 75) to ensure that the ERM plan evolves to effectively manage the organization’s risk.

IT is intricately intertwined with the components of the ERM Framework affecting how the organization manages risk. For example, the organization’s risk appetite affects its choice of IT, level of e-commerce, integration with business partners, and the use of emerg- ing technologies—all changing the risk of the organization. While strategic objectives in- fluence the IT infrastructure, IT can simultaneously help (1) shape strategy, (2) use oper- ational assets efficiently and effectively, (3) increase reporting reliability and regulatory compliance, (4) communicate information globally, and (5) ensure that the organization is operating within established risk tolerances, the acceptable level of variation around ob- jectives (PricewaterhouseCoopers 2003; Tillinghast-Towers Perrin 2001; Leithhead and McNamee 2000).

Keeping this framework in mind, we turn to the third and fourth components of the ERM Framework—the identification of events and risk assessment. Negative events are risks that must be assessed. Positive events are opportunities that may redirect the organi- zation’s objective setting process. The Framework identifies IT as an external event and an internal event. In fact, IT is the only item classified as both types of events. For external events, organizations must consider the impact of the changing e-commerce environment, the increasing availability of external data, potential technological interruptions, and emerg- ing technology (COSO 2004a, 47). For internal events, organizations must consider how data integrity, data and system availability, and system selection, development, deployment,

Research Opportunities in Information Technology and Internal Auditing 209

Journal of Information Systems, Spring 2006

and maintenance may affect their ability to operate (COSO 2004a, 46). IT also enables the organization to identify other events. As an enabler, IT can help internal auditors facilitate interactive group workshops, pinpoint areas of concern via escalation or threshold triggers, and identify trends and causes of risks by statistically analyzing historical data via data mining and data warehouses (Nehmer 2003; Searcy and Woodroof 2003; Rezaee et al. 2002).

Once the negative events (i.e., risks) have been identified, organizations must estimate the likelihood and timing of the events occurring and their impact on the organization. To estimate the financial impact of different time horizons and probable outcomes, internal auditors can use a variety of simulation, mapping, benchmarking, and modeling tools. Data warehouses and data mining can estimate the likelihood an event will occur, thereby sup- plementing managers’ qualitative estimates (Rezaee et al. 2002). Neural networks and data envelopment analysis (DEA) can also be used to assess risk, direct internal auditors’ atten- tion to high risk audit areas, and engage in ‘‘brainstorming’’ and ‘‘scenario building’’ ac- tivities that seek to track and monitor business risks as they develop (Kinney 2003, 149; Bradbury and Rouse 2002; Ramamoorti and Traver 1998). According to PricewaterhouseCoopers Internal Audit Services Practices, the IAF needs a level of IT sophistication that matches the level of risk that it is trying to manage (Heffes 2002); i.e., the concept of requisite variety applies to the IAF and the system it regulates (Weick 1969, 1979). While prior studies examine what tools the IAF uses (e.g., Hermanson et al. [2000]; annual IAF surveys by the Internal Auditor), we lack evidence regarding how well the risk identification and assessment tools used by the IAF match the organization’s current and planned level of risk and IT usage.

Understanding the impact of IT on risk assessment is especially important for organi- zations with ERPs. O’Leary (2000) and Addison (2001) state that ERPs expose organiza- tions to significantly different risks including business interruption, change management, process interdependency, privacy and confidentiality, data content quality, and system se- curity. Moreover, newly implemented ERP processes potentially alter and even weaken traditional segregation of duties, because traditional controls are often eliminated and not replaced during implementation (Bae and Ashcroft 2004). Wright and Wright (2002) de- lineate additional risks associated with ERP implementations from customization, process reengineering, bolt-on software (i.e., software from a different vendor that adds functionality to an ERP), and incompatibilities with organizational requirements. Thus, ERPs may not reduce control risk if organizations modify key process linkages and integrated controls are not fully implemented.

In light of these concerns, internal auditors must examine ERP risk carefully. Given the large variety of ERPs available, how is risk affected if organizations implement primary (manufacturing) versus support (financial and human resource) software components? Does risk vary with the specific ERP software (vendor) selected or with internal audit involve- ment? How much risk exists if organizations do not convert from existing legacy systems to ERPs?

As a starting point in answering these questions, Wright and Wright (2002) report that then-Big 5 information systems auditors identify supply-chain and payroll ERP subsystems as having the highest control and security risks. Other areas of concern include interfaces with legacy systems and non-ERP bolt-ons. Interviewees also state that the major vendor ERPs differ in terms of access and encryption controls as well as input devices and controls. External information systems auditors also appear not to be concerned with the security and control risks of business intelligence systems (Wright and Wright 2002). To better understand how organizations manage and control ERP risks, future research can determine

210 Weidenmier and Ramamoorti

Journal of Information Systems, Spring 2006

how the IAF’s perspectives compare to those of external auditors and whether internal auditors consider the risks of business intelligence systems and other areas that are appar- ently overlooked by external auditors (Wright and Wright 2002). Given that internal au- ditors work in the same organizational environment with the same system(s) all year, their depth-oriented viewpoints are likely to be different than the breadth-oriented viewpoints of external auditors who work on multiple clients (and systems). In addition, future research could examine the underlying software (O’Leary 2002) to understand how the actual risks match those perceived by internal and external auditors.

Kinney (2003, 147) asks, ‘‘How does IT affect risk, risk assessment, and risk manage- ment?’’ Answering this question requires a better understanding of the differential impact of internal and external factors on the organization’s use of IT in risk assessment. For example, organizational structure and its use of IT may affect the ERM process. Kleffner (2003) identifies silo (or functional) organizational structure, resistance to change, lack of qualified personnel, and need for internal controls and review systems as deterrents to ERM. Similarly, Wah (2000) identifies traditional silo structure as among the top barriers to suc- cessful ERP implementations. Thus, organizational structure appears to affect the success of ERM and ERP implementations. It would be interesting to investigate whether firms that have successfully implemented ERP are more likely to successfully implement an ERM process.

Hunton (2002) suggests that internal auditors may be able to reduce the risk associated with the organization’s IT by participating throughout the entire system’s life cycle. Extant research also finds that the involvement of information system (IS) auditors in the systems development stage reduces future software maintenance costs (Wu 1992), indicating that risks (from software and control errors) should be reduced as well. Unfortunately, despite the potential to reduce future costs, internal auditors spend the least amount of their time on the development, acquisition, and implementation of new systems (Hermanson et al. 2000).

Why are internal auditors not more actively involved in the development, acquisition, and implementation of new systems? Prior research suggests that this is because of inde- pendence and objectivity concerns (Boritz 2002). However, extant literature (generally) finds that IAF quality depends more on work performance than independence, objectivity, and competence (Gramling et al. 2004). Moreover, Krishnamoorthy’s (2001, 2002) analyt- ical models suggest that the relative importance of objectivity, work performance, and competence varies with audit conditions. On the other hand, extant literature reports con- flicting evidence regarding whether internal auditors’ judgments and decisions are affected by prior design involvement (Grabski 1986; Gramling et al. 2004). Therefore, more research is needed to determine the net benefits of IAF participation in each stage of the system’s life cycle.

Internal auditors, outsourced internal audit service providers, and external auditors make risk assessments. Inconsistent evidence exists regarding whether the risk assessments made by these various parties are the same. For example, Hunton et al. (2004) find that external then-Big 5, IT auditors assess higher risks in ERP than non-ERP systems when compared to external Big 5, non-IT auditors. However, Grabski et al. (1987) report no differences in the internal control evaluations of EDP and non-EDP internal auditors. Church and Schneider (1995) find that internal auditors are more likely to generate cutoff errors than external auditors, but Blocher (1993) finds that internal auditors are less likely to use analytical procedures compared with external auditors. Moreover, Caplan and Embry (2003) find that internal auditors, outsource providers, and external auditors make similar judg- ments about the severity of internal control weaknesses; where there are differences, the

Research Opportunities in Information Technology and Internal Auditing 211

Journal of Information Systems, Spring 2006

evaluations of outsourced internal auditors tend to fall between internal and external au- ditors. On the other hand, in a study of the relative importance of risk factors for fraud, Apostolou et al. (2001) report that the mean decision models of Big 5, regional, and internal auditors are not significantly different.

In light of these mixed results, how do the overall risk assessments of internal, external, and outsourced (IT and non-IT) auditors compare? Extant research does not fully support the correlation between external auditor’s risk assessments and audit plans (Zimbelman 1997; Mock and Wright 1999). Do internal auditors incorporate IT considerations into risk assessments and their subsequent audit plans (see Church et al. 2001)? The audit committee now expects the IAF to monitor, evaluate, and report recommendations for the organiza- tion’s risk management process (COSO 2004b, 104). Given the growing importance of risk management, outsourcing opportunities, and the expanding role of the IAF, audit commit- tees need answers to these questions.

III. CONTROL ASSURANCE Control assurance is another important governance activity performed by internal au-

ditors. To ensure that risk responses are implemented, audit committees rely on the IAF to determine if internal controls effectively support strategic, operational, reporting, and com- pliance objectives (Gendron et al. 2004). This task is critical because ‘‘a strong system of internal control is essential to effective ERM’’ (COSO 2004c, slide 22).

Traditionally, corporate governance was synonymous with organizational oversight by various committees, internal auditors, and external auditors. This was a costly, misleading, and disempowering approach because businesses did not make IT governance (risk and compliance) investments a high priority (Meyer 2004). An alternative, and better, approach makes compliance integral, not incremental, by embedding IT controls throughout the or- ganization’s business processes (PricewaterhouseCoopers 2004). Embedded controls ensure compliance at the time of the business process entry, making employees systematically follow governance directives, ultimately changing the organizational culture (Heffes 2004; Meyer 2004).

While corporate governance and ERM are rising into prominence, investors are increas- ingly IT-literate and sophisticated, now worrying about IT’s risk to operations, and scruti- nizing IT investments and system efficiency (Huber 2002). Together these forces drive the demand for a new type of governance, ‘‘IT governance,’’ which coordinates IT with business objectives to establish effective IT controls efficiently (ITGI 2004). The relationship be- tween IT and governance exhibits ‘‘reciprocal causation.’’ In other words, they feed into, shape, and fuel the demand for each other (Hamaker 2004).

Organizations can also use IT—as an enabler—to help comply with SOX Sec. 404 requirements that external auditors attest to management’s assessment of the effectiveness of internal controls relevant to financial reporting. In fact, PCAOB Auditing Standard No. 2 encourages the implementation of entirely IT automated application controls by allowing the external auditor to utilize a benchmarking (and audit efficiency-increasing) strategy when there are effective IT general controls. The PCAOB’s rationale seems to be that entirely IT automated application controls are not subject to breakdowns resulting from human failure (e.g., error, complacency, distraction) and, once properly defined, should continue to perform effectively (PCAOB 2005). This new environment requires controls that are automatic, dynamic, integrated, preventive, multi-compensating, real-time, and in- clude sound authentication procedures and secured audit trails (Parker 2001), which can only be accomplished through automated IT controls.

212 Weidenmier and Ramamoorti

Journal of Information Systems, Spring 2006

But, do controls implemented in organizations achieve these high standards? Despite the increased demand for IT controls, even the largest organizations still use manual controls for compliance processes—increasing the likelihood of compliance failures considerably (PricewaterhouseCoopers 2004) and leading to the question: Why do most companies still continue to use manual compliance controls? Is it because IT usage has generated significant operational problems (see ITGI 2004)? Or is IT implementation too costly? Perhaps senior management is still wary of utilizing IT for governance-related activities because they are unfamiliar with its deployment or unsure of its impact.

IT can automatically monitor control effectiveness and changes and automatically iden- tify control weaknesses in ERPs. Organizations can also use IT for ‘‘corrective control’’ purposes to identify these gaps, e.g., control mapping with alarms and alerts (Alles et al. 2004) and segregation of duties analysis software (Lightle and Vallario 2003). How effective are these monitoring and corrective controls? Are there systematic differences (e.g., IT placement in organization, existence of integrated IT governance process, IAF character- istics) in the companies that use these IT controls versus those that do not?

SOX Sec. 404 requires that a control framework be used but does not specify which framework. Perhaps the most popular choice is the 1992 Internal Control-Integrated Frame- work by COSO. Despite its formal publication and release over a decade ago, many users are unfamiliar with the COSO framework, particularly as it interacts with IT applications. Few firms showed interest in COSO until SOX’s passage (Alles et al. 2004; Hermanson 2000). Other potential control frameworks include CobiT (Information Systems Audit and Control Foundation, ISACA), e-SAC (IIA), CoCo (Canadian COSO) and SAS Nos. 55, 78, and 94 (AICPA Professional Standards). (See Hermanson et al. [2000]; Curtis and Wu [2000]; Colbert and Bowen [2005] for a comparison of the frameworks.)1

Because of the new SOX 404 disclosure requirements, researchers can more easily identify which control framework organizations use to evaluate their controls for initial (and subsequent) annual report filings. Promising research questions include: Are there system- atic differences in the framework selection (i.e., industry, size, IAF characteristics, IT char- acteristics, external auditor, supply partner integration, or international presence)? Are there systematic control weaknesses in certain industries? How does an organization’s Sec. 404 internal control opinion affect the overall audit opinion? Carcello et al. (2002) examine audit committee disclosures and state that future research can determine (1) whether com- panies with more complete disclosures have fewer internal control failures and (2) whether enhanced disclosures improve internal control effectiveness. The new SOX 404 internal control attestation report should help answer these two questions as well as other gover- nance questions about the interactions among the audit committee, the external auditor, the IAF, management’s assessment of the effectiveness of controls over financial reporting, and financial-reporting quality.

Obtaining better internal control effectiveness requires answers to the following ques- tions: Which (COSO) control components are the strongest and weakest in organizations? How does the selected framework affect the (IT) audit? Are internal controls more effective when the organization has a well-developed ERM process? Moreover, PCAOB Auditing Standard No. 2 does not prescribe the scope or the required amount of testing of internal

1 CobiT stands for Control Objectives for Information and Technology. eSAC is the electronic version of the IIA’s Systems Auditability and Control guidance. CoCo stands for Criteria of Control developed by the Canadian Criteria of Control Board. SAS 55 is the AICPA’s Statement of Auditing Standard No. 55 (SAS No. 55) titled The Consideration of the Internal Control Structure in a Financial Statement Audit. SAS No. 78 amends SAS No. 55. SAS No. 94 is titled The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.

Research Opportunities in Information Technology and Internal Auditing 213

Journal of Information Systems, Spring 2006

controls (Brady and Postal 2005). How much testing is needed to be effective? Research is needed to determine which method(s) might be best for evaluating controls, how much testing is needed to be effective, and whether SOX has changed the IAF’s priorities and use of resources as well as how it views, evaluates, and monitors controls? Furthermore, a survey by ACL Services Ltd. and the Center for Continuous Auditing finds that 67 percent of organizations do not have a budget for continued compliance with SOX after the initial filing deadline, indicating a short-term compliance response (Anonymous 2004). Research is needed to determine the long-term effects and effectiveness of SOX and compliance by organizations.

Finally, large organizations (with over $5 billion in revenues) are spending approxi- mately $4.36 million to comply with SOX Sec. 404, which requires management to assess the organization’s internal controls only over financial reporting (Levinsohn 2005). Given the increased focus on sound corporate governance by SOX, internal auditors could reduce organizational risk by expanding the audit scope to include the entire underlying database.2

In other words, ‘‘substance attestation’’ may shift to ‘‘process attestation’’ through contin- uous control monitoring techniques that focus on the process rather than the financial state- ment numbers generated (Pacini and Sinason 1999). Are internal auditors adjusting their audit procedures (appropriately) for increased IT usage and the audit of the entire opera- tional database? What barriers, if any, exist?

IV. SECURITY AND PRIVACY COMPLIANCE ASSESSMENT Internal controls also help ensure compliance with applicable laws and regulations

(COSO 2004a, 109), an activity that becomes even more important in heavily regulated industries such as healthcare and financial services. Accordingly, yet another significant governance activity performed by internal auditors is compliance assessment. We develop research questions focusing on two increasingly important areas of compliance—privacy and security. Privacy and security have been identified as two of the ‘‘Ethical Issues of the Information Age’’ (Mason 1986; Sutton et al. 1999). They help ensure data integrity to support the governance and risk processes and must be part of the ERM process. IT acts as both a driver and enabler for compliance. As a driver, IT poses additional security and privacy risks of its own (e.g., cyber-security breaches, or unauthorized disclosure of con- fidential consumer information). As an enabler, IT can help mitigate these risks.

Personal privacy is eroding as IT enables organizations to collect, store, and ubiqui- tously retrieve more consumer information than ever before, e.g., using cookies, web bugs, and port scans (Spinello 1998; King 2001). IT increases the risk that information may be accidentally or maliciously compromised, through hacking or other forms of ‘‘cyber- terrorism.’’ Given this environment, several laws have been passed to protect the privacy of consumers such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Identity Theft and Assumption Deterrence Act, and the Gramm-Leach-Bliley Act (GLBA). Noncompliance with these laws, as well as failure to protect other data, exposes the organization to potential lawsuits, financial losses, and loss of repu